Maybe if you made all the info public, keep users up to date with what’s happening? Maybe you already do, I don’t know. 

 Still hard to prove tho 

 I think you can probably declare its process clearly in some deployment script or Dockerfike published in public (github, gitlab, etc). Using Github/gitlab CI deployment script to push it automatically into any your PaaS/server provider. All the process will be transparent and can be verified.

Example:
- https://dev.to/ruthmoog/deploying-a-project-to-flyio-with-github-actions-2c7e
- https://fly.io/docs/app-guides/continuous-deployment-with-github-actions/#:~:text=create%20.github/workflows/fly.yml%20with%20these%20contents%3A 

 This looks interesting. I host on dedicated hardware, but might be able to do something like this with caprover. 

Thanks for the links. 

 Ya I was thinking about this... we could do independent audits.. but probably would need to be done by someone who doesn't run a relay?  Ie, I could verify you, but then it'd be fishy if you verified me lol.. 🤔 

 Basically, we could give non-superuser ssh access to one of the security folks that we trust, so that they could at any time, ssh in and verify the logs are not being kept.  Then they publish what they find periodically.  Kind of like how companies do independent security audits. 

 What about this? https://audgit.ai/ 

 Auditing the code is not enough, we would need to audit the state of the server since most of these servers allow ssh access the state of the system can be changed at any time by an operator. 

 An even further issue is that in the case of allowing an auditor in, it would expose secrets as well. 

 This is cool, but yeah, it’d have to be combined with something to audit to deployment as well.